  1. #1
    SitePoint Addict
    Join Date
    Aug 1999
    Posts
    218

    Storing Last 4 Digits of a Credit Card Number

    Hi:

    We're building our own shopping cart currently and initially I'd wanted to store credit card numbers on our server and encrypt them but after reading a lot of posts here I see that this is not smart for us to do considering our programmers have never created a cart where the credit card numbers are stored on the database.

    But I have read here that storing the last four digits of a credit card number is potentially an option as long as these last 4 numbers of the CC are encrypted and your usernames and passwords are encrypted on your database. I've read that the rest of the credit card number can be stored on the payment gateway server. For instance someone said that you can contact the merchant provider CDG Commerce and they offer a way to store part of the CC number on your server and part of the CC number on the gateway's server for free. We were going to go with Wells Fargo as our provider and Authorize.net as our payment gateway with a VeriSign SSL Certificate, but we may adjust if this only works with other providers and gateways.

    So I'm imagining how this works is the customer enters their credit card number: 1234-5678-9101-1121

    This is stored on Authorize.net's server:
    1234-5678-9101-1121 (the last 4 digits are there to connect with the 4 digits stored on our server)

    And this is stored on our server connected to the customer who entered it:
    1121

    So then the customer orders, leaves the site, and comes back the next day and goes to place an order. They log in with their Email Address and Password and then get to the payment page and they see their credit card:
    Visa ****-****-****-1121

    And this somehow connects up with their CC number on the Authorize.net server and the transaction goes through. Is this how this works? Does this sort of thing work with all payment gateways?

    And then the major issue I see with this is that their Email Address and Password basically give access to the last 4 digits of people's credit card and to purchases on our site and we'd need to protect these two entities very securely because if someone accessed them then even though they couldn't directly get the CC numbers in their entirety they could illegally purchase a heck of a lot of products from our site if they were so inclined.

    So please clarify if this is how this all works and if it's safe.

  2. #2
    SitePoint Wizard HarryR's Avatar
    Join Date
    Dec 2004
    Location
    London, UK
    Posts
    1,376
    Hi,
    Usually I don't bother with storing any part of the credit card number or expiry date on our servers and leave that part up to the merchant.

    For convenience we usually only keep their address details and shipping preferences as they can be a pain to fill in each time, but when they come to ordering a product we usually display a message saying 'For your security we do not store any of your credit card information on our servers, you will need to enter this payment information every time you place an order' etc. so they at least understand the security versus convenience problem.

    I really don't like the idea of storing any payment information just for the sake of convenience.. I stopped using register.com when they implemented their 'one click' ordering system a while ago, simply because I wasn't happy knowing that anybody who found out the username and password I used at register.com would be able to rack up huge bills on my credit card.

    Some merchants do offer you ways to perform another charge to a person's credit card without re-submitting all the information (e.g. for recurring charges etc.), and this usually involves them giving you a fairly large random token which uniquely identifies both you and the person's payment details on their system - so if stolen it couldn't be used anywhere else.

    As for displaying the last four digits of their credit card when sending receipts of purchase or on an order log - I think that's ok (well, at least for me it is).. Most people usually try and keep track of what they've purchased, so an email such as "We have successfully charged your Mastercard which ends with '1234' a total of $139.25" would be perfectly acceptable.

    Regards,
    - Harry
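
The token arrangement described in the post above, combined with the last-four display from the first post, as an added example (not code from any poster or from a real gateway). `MockGateway`, `MerchantStore`, the merchant IDs and the e-mail address are hypothetical stand-ins; a real gateway exposes its own API for this.

```python
import secrets

class MockGateway:
    """Stand-in for a payment gateway's card vault (constructed, not a real API)."""

    def __init__(self):
        self._vault = {}  # token -> (merchant_id, full card number)

    def store_card(self, merchant_id, pan):
        digits = "".join(c for c in pan if c.isdigit())
        token = secrets.token_urlsafe(32)  # large random value, carries no card data
        self._vault[token] = (merchant_id, digits)
        return token, digits[-4:]

    def charge(self, merchant_id, token, amount_cents):
        entry = self._vault.get(token)
        # A token is only honoured for the merchant it was issued to.
        if entry is None or entry[0] != merchant_id:
            return "declined: unknown token for this merchant"
        return f"approved: {amount_cents} cents on card ending {entry[1][-4:]}"

class MerchantStore:
    """What the shop's own database holds: token, brand and last four only."""

    def __init__(self, gateway, merchant_id):
        self.gateway, self.merchant_id = gateway, merchant_id
        self.saved_cards = {}  # customer email -> {"token", "brand", "last4"}

    def save_card(self, email, brand, pan):
        # The full number is passed straight to the gateway and never kept here.
        token, last4 = self.gateway.store_card(self.merchant_id, pan)
        self.saved_cards[email] = {"token": token, "brand": brand, "last4": last4}

    def display(self, email):
        card = self.saved_cards[email]
        return f"{card['brand']} ****-****-****-{card['last4']}"

    def reorder(self, email, amount_cents):
        token = self.saved_cards[email]["token"]
        return self.gateway.charge(self.merchant_id, token, amount_cents)

def demo():
    gateway = MockGateway()
    shop = MerchantStore(gateway, "shop-A")
    # Sample card number taken from the first post.
    shop.save_card("pat@example.com", "Visa", "1234-5678-9101-1121")
    stolen = shop.saved_cards["pat@example.com"]["token"]
    return (shop.display("pat@example.com"),
            shop.reorder("pat@example.com", 13925),
            gateway.charge("shop-B", stolen, 13925))  # same token, other merchant
```

The token still lets anyone who can log in as the customer place orders at the issuing shop, which is the account-takeover concern raised in both posts above.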

  3. #3
    SitePoint Wizard big_al's Avatar
    Join Date
    May 2000
    Location
    Victoria, Australia
    Posts
    1,661
    If you do want to store the card numbers, you may store the first 6 and last 3 digits of the number; these only contain the BIN (Bank Identification Number) and checksums.
    .NET Code Monkey

  4. #4
    SitePoint Addict
    Join Date
    Aug 1999
    Posts
    218
    I was thinking of storing CC numbers for convenience. It's my guess that most decent online retailers provide this, but I can't really check since I don't want to place a bunch of orders just to see if they store my credit card. I know Amazon.com and BarnesandNoble.com both store credit cards and they show the last 5 digits, but of course they have the money for security and probably store these digits on their servers. For our purposes I'm thinking we'd need to store 4 or more digits to ensure that no two people get the same digits. But I'm still wondering is this something that payment gateways will provide?

  5. #5
    SitePoint Zealot
    Join Date
    Apr 2004
    Location
    LA
    Posts
    189
    Let the gateway handle the card # storage. This way you will not run into any problems. However, you should get your cart CISP certified.

    http://www.visa.com/cisp

